Cisco, ISS file suit against rogue researcher

'The right thing to do here is to make sure that everyone knows that it's vulnerable'

Common Topics

LAS VEGAS--Networking giant Cisco and security company Internet Security Systems filed on Wednesday a restraining order against the management of the Black Hat Conference and a security expert who told conference attendees that attackers can broadly compromise Cisco routers.

The legal action followed a presentation by security researcher Michael Lynn, a former ISS employee, who brushed off threats of legal action and a broad effort to delete his presentation from conference materials to warn attendees that malicious programs could be run on Cisco routers.

While the information had already been presented by Lynn, a Cisco spokesman said that the companies wanted to prevent further dissemination of inside information about Cisco's routers.

"We don't want them to further discuss it," said Cisco spokesman John Noh. "This is about protecting our intellectual property."

Three weeks of intense discussions between ISS, the researcher, Cisco, and conference management failed on Wednesday. Two days before, Cisco representatives spent eight hours ripping out the ten-page presentation from the conference book and ISS executives decided to pull the presentation, allowing researcher Lynn to speak on a different topic.

In a dramatic reversal on Wednesday, Lynn told attendees he tendered his resignation to ISS less than two hours before he went on stage to present his findings, then proceeded to describe a reliable way to run programs by exploiting the Internet Operating System (IOS), the core software for Cisco routers.

"I feel I had to do what's right for the country and the national infrastructure," he said. "It has been confirmed that bad people are working on this (compromising IOS). The right thing to do here is to make sure that everyone knows that it's vulnerable."

A majority of the Internet infrastructure relies on Cisco networking hardware to route data from one computer to another. While security researchers have found flaws in the IOS router software in the past, almost all the vulnerabilities have only allowed an attacker to degrade communications in what is known as a denial-of-service attack.

Lynn outlined a way to take control of an IOS-based router, using a buffer overflow or a heap overflow, two types of memory vulnerabilities. He demonstrated the attack using a vulnerability that Cisco fixed in April. While that flaw is patched, he stressed that the attack can be used with any new buffer overrun or heap overflow, adding that running code on a router is a serious threat.

"When you attack a host machine, you gain control of that machine--when you control a router, you gain control of the network," Lynn said.

ISS disavowed any foreknowledge of Lynn's intent to resign and present his findings. Cisco condemned the talk in strong terms that suggested the company may initiate legal action against the researcher and the conference, describing the presentation as the illegal publication of proprietary material.

"It is especially regretful, and indefensible, that the Black Hat Conference organizers have given Mr. Lynn a platform to publicly disseminate the information he illegally obtained," the company said in a statement. "We appreciate the cooperation we have received from ISS in this matter. We are working with ISS to continue our joint research in the area of security vulnerabilities."

For his part, Black Hat Conference organizer and founder Jeff Moss denied that he had any idea of Lynn's intent.

"He told me yesterday that he would do his backup presentation," Moss said after the controversial presentation. Moss said he had worked hard to address Cisco's concerns with the original presentation. "We were in the middle of trying to run a conference and lawyers from Cisco were talking about a temporary restraining order."